
Trojan Cryptic.ARX and Geric2_2.BOMJ detected, can't boot


  • This topic is locked
28 replies to this topic

#1 spsteam


Posted 05 September 2010 - 03:56 PM

My Windows 7 64-bit home machine rebooted itself during normal operation. Upon startup the computer did not detect the hard drive. The BIOS screens would come up normally, but when it came to the point where it detects the drives, the BIOS message said that no drives were found; the BIOS then dumped to a black screen with a white flashing cursor in the upper left-hand side. From there, there is no activity. The only option is to power down.

Attempted to start again, same result. Next, booted to BIOS Setup. Here the BIOS listed the HDD both in the list of attached drives and as an option in the boot priority list. Attempted to change boot priority, but to no avail. Each time, the BIOS boots to the blank black screen.

Next I attempted to run the Windows 7 DVD off the DVD -- that worked. In the Win7 installation menu, I opted for the Repair utility. The utility runs and then prompts that the computer must restart to complete installation. The computer automatically restarts, but upon booting, the BIOS stops before loading the OS -- back to the blank black screen.

Next I purchased a new HDD, disconnected the old drive, connected the new drive and loaded a fresh copy of Win 7 on it. That booted normally and operates without a problem. With Win7 running on the new drive, I connected the old drive (plugged in the SATA cable). Win7 auto-detected the old drive normally. All the files were present and could be opened normally.

Next I loaded a copy of AVG free edition onto the new drive and performed a scan on the old drive. AVG completed a full scan and returned 4 instances of Trojan Cryptic.ARX and one of Generic2_c.BOMJ. AVG moved the files to its vault.

Next I disconnected the new drive and attempted to boot the old drive again -- no luck. Back to the black screen after the BIOS could not detect the drive. Next I attempted to run the Win7 repair utility off the DVD. The utility ran as before and said it needed a reboot to complete the operation. Upon reboot, the computer started back to the black screen with a blinking white cursor.

Next I disconnected the old drive (now N:), reconnected the new drive (now C:) and registered for bleepingcomputer. As per the instructions, I loaded the DSS and GMER apps (on the new drive). The DSS file is listed below, but it only shows results for the new drive (C:); not sure if that is helpful. When I ran the GMER application, an error message popped up immediately: "C:\Windows\system32\config32\config\system: The system cannot find the file specified." It then opened the utility showing the same screen as is shown in the bleepingcomputer tutorial for how to post a new topic, except that the only three check boxes that I could select were "services", "registry", "files" and "ADS"; the others are greyed out. I selected all that I could and ran the utility for the old drive (N:).


DDS (Ver_10-03-17.01) - NTFSX64
Run by Simon at 13:17:04.96 on Sun 09/05/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8190.5925 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\AVG\AVG9\avgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Simon\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
mRun: [TrueImageMonitor.exe] c:\program files (x86)\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
mRun-x64: [Acronis Scheduler2 Service] "c:\program files (x86)\common files\acronis\schedule2\schedhlp.exe"
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\nj1cwkj0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-8-19 1477728]
R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2010-8-25 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2010-8-25 35536]
R1 AvgTdiA;AVG Free Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2010-8-25 317520]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\common files\acronis\cdp\afcdpsrv.exe [2010-8-19 2480048]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files (x86)\avg\avg9\avgemc.exe [2010-8-25 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-8-25 308136]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-8-19 252512]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-20 1255736]

=============== Created Last 30 ================

2010-09-05 19:58:04 0 ----a-w- c:\users\simon\defogger_reenable
2010-08-27 04:26:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-08-26 04:07:22 13048 ----a-w- c:\windows\system32\avgrssta.dll
2010-08-26 04:07:21 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-08-26 04:07:18 269904 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2010-08-26 04:07:17 35536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2010-08-26 04:07:17 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-26 04:05:21 0 d-----w- c:\program files (x86)\AVG
2010-08-26 04:05:10 0 d-----w- c:\programdata\avg9
2010-08-26 03:50:46 35962312 ----a-w- c:\windows\syswow64\MRT.exe
2010-08-25 00:38:31 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-25 00:38:31 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-20 10:00:30 0 d-----w- c:\windows\syswow64\Wat
2010-08-20 10:00:30 0 d-----w- c:\windows\system32\Wat
2010-08-20 05:19:58 0 d-----w- c:\programdata\Acronis
2010-08-20 05:17:23 252512 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-08-20 05:17:21 1477728 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-08-20 05:17:19 943712 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-08-20 05:17:06 271456 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-08-20 01:44:12 0 d-sh--w- c:\windows\Installer
2010-08-20 01:35:46 37888 ----a-w- c:\windows\syswow64\setupnt.dll
2010-08-19 22:25:15 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-08-19 22:25:15 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-08-19 22:22:59 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-08-19 22:22:59 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-08-19 22:22:59 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-19 22:22:59 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-08-19 22:22:59 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-19 22:22:59 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-08-19 22:22:59 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-08-19 22:22:59 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-08-19 22:22:59 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-08-19 22:22:59 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-19 22:19:58 961024 ----a-w- c:\windows\system32\CPFilters.dll
2010-08-19 19:55:16 0 d-----w- c:\windows\syswow64\Macromed
2010-08-19 19:16:51 0 d-----w- c:\windows\Panther
2010-08-19 18:54:19 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-08-19 18:51:47 0 d-----w- c:\program files (x86)\Runtime Software
2010-08-19 18:31:31 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-08-19 18:31:31 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-08-19 18:31:31 139264 ----a-w- c:\windows\system32\cabview.dll
2010-08-19 18:31:31 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-08-19 18:29:58 0 d-sh--w- C:\Recovery

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:17:13.69 ===============




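The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first. As an added example for this thread (not code from the original post or from the DDS tool), the Python script below parses those lines and flags the items that stand out in this log: the mPolicies-system values that switch UAC prompting off, the BHO whose DLL is missing ("No File"), and the AppInit_DLLs entry. Which policy values count as weakened is my own interpretation.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; not code from the original post or from
the DDS tool. DDS prints registry-derived items either as
'<kind>: <name> = <value> (0x..)' or as '<kind>: <name>: {CLSID} - <file>'.
The script flags UAC policy values that turn prompting off, browser helper
objects whose DLL is gone ('No File', usually a leftover registration), and
AppInit_DLLs entries (loaded into every process that loads user32.dll, so
always worth a look even when, as here, the DLL belongs to the AV product).
"""
import re
from dataclasses import dataclass

# Values under mPolicies-system that disable or silence UAC prompting.
# Assumed interpretation; the thread's log shows all three at 0.
UAC_WEAK = {
    "EnableLUA": {"0"},                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": {"0"},  # admins elevate with no prompt
    "PromptOnSecureDesktop": {"0"},       # prompts not on the secure desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# '<name>[: {CLSID}] - <file or "No File">'. The optional CLSID is consumed
# before the ' - ' separator so the name group does not swallow it.
BHO_RE = re.compile(
    r"^BHO(?:-X64)?:\s*(.*?)(?::\s*\{[0-9A-Fa-f-]{36}\})?\s+-\s+(.+)$"
)
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-X64)?:\s*(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # 'uac-weakened', 'orphan-bho' or 'appinit-dll'
    detail: str


def triage_hjt(lines):
    """Return a list of Finding for the lines of a DDS Pseudo HJT Report."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, value = m.groups()
            if value in UAC_WEAK.get(name, ()):
                findings.append(Finding("uac-weakened", f"{name} = {value}"))
            continue
        m = BHO_RE.match(line)
        if m:
            bho_name, target = m.groups()
            if target.strip().lower() == "no file":
                findings.append(Finding("orphan-bho", bho_name))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("appinit-dll", m.group(1).strip()))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Sample input: Pseudo HJT Report lines copied from the DDS log in this thread.
SAMPLE_HJT = [
    r"mLocal Page = c:\windows\syswow64\blank.htm",
    r"mWinlogon: Userinit=userinit.exe",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll",
    r"mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe",
    "mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    "mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    "mPolicies-system: EnableLUA = 0 (0x0)",
    "mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    "mPolicies-system: PromptOnSecureDesktop = 0 (0x0)",
    r"BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll",
    "BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File",
    "AppInit_DLLs-X64: avgrssta.dll",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.kind:13} {f.detail}")
```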

#2 Elise


Posted 13 September 2010 - 04:28 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 Elise


Posted 20 September 2010 - 05:48 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise



#4 Elise


Posted 20 September 2010 - 12:11 PM

Topic reopened as requested. Please follow the steps in my first reply.

regards, Elise



#5 spsteam


Posted 20 September 2010 - 09:30 PM


Below are the logs from the OTL scan and the OTL extras. I downloaded Rootkit Unhooker to my desktop using the directions provided. When I double-click the RkunhookerLE icon, I receive the standard Windows 7 message window, "Open File - Security Warning", stating that the publisher could not be identified... Run or Cancel. I click Run, after which I am immediately presented with the following error message: "Error loading driver, NTSTATUS code: 0xC000036B". The application does not run.

Thanks.


*************


OTL logfile created on: 9/20/2010 7:18:37 PM - Run 1
OTL by OldTimer - Version 3.2.14.0 Folder = C:\Users\Simon\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.00 Gb Available Physical Memory | 70.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1397.17 Gb Total Space | 1363.33 Gb Free Space | 97.58% Space Free | Partition Type: NTFS
Drive D: | 3.00 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive N: | 638.44 Gb Total Space | 102.61 Gb Free Space | 16.07% Space Free | Partition Type: NTFS

Computer Name: SIMON-PC
Current User Name: Simon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/20 19:17:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Simon\Desktop\OTL.exe
PRC - [2010/09/09 17:54:48 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/09/09 17:54:48 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
PRC - [2010/08/25 21:06:54 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
PRC - [2010/08/25 21:06:45 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgtray.exe
PRC - [2010/08/25 21:06:35 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe
PRC - [2010/08/25 21:06:30 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/27 16:07:26 | 000,362,232 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/03/27 16:06:16 | 005,107,232 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe


========== Modules (SafeList) ==========

MOD - [2010/09/20 19:17:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Simon\Desktop\OTL.exe
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/08/25 21:06:35 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/08/25 21:06:30 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/08/19 22:17:22 | 002,480,048 | ---- | M] (Acronis) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010/03/27 16:09:22 | 001,054,568 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/08/25 21:07:22 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (AvgTdiA)
DRV:64bit: - [2010/08/25 21:07:19 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/08/25 21:07:18 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/08/19 22:17:23 | 000,252,512 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:64bit: - [2010/08/19 22:17:21 | 001,477,728 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tdrpm258.sys -- (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258)
DRV:64bit: - [2010/08/19 22:17:19 | 000,943,712 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/05/14 16:06:18 | 000,027,520 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2005/03/29 01:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2010/08/19 18:35:46 | 000,082,464 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snapman.sys -- (snapman)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKU\S-1-5-21-254931848-2096983733-619744941-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-254931848-2096983733-619744941-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-254931848-2096983733-619744941-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EC 1F B2 CD CE 3F CB 01 [binary data]
IE - HKU\S-1-5-21-254931848-2096983733-619744941-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2010/08/25 21:06:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/09/09 17:54:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/09/10 20:12:49 | 000,000,000 | ---D | M]

[2010/08/19 21:50:39 | 000,000,000 | ---D | M] -- C:\Users\Simon\AppData\Roaming\Mozilla\Extensions
[2010/09/18 16:10:37 | 000,000,000 | ---D | M] -- C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\nj1cwkj0.default\extensions
[2010/08/19 21:50:32 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-254931848-2096983733-619744941-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/14 02:29:38 | 000,000,122 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{e8be3178-b187-11df-bab2-90e6ba105fb7}\Shell - "" = AutoRun
O33 - MountPoints2\{e8be3178-b187-11df-bab2-90e6ba105fb7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/20 19:17:30 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Users\Simon\Desktop\OTL.exe
[2010/09/10 20:12:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2010/09/10 20:11:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe AIR
[2010/09/10 20:11:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2010/09/10 20:11:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2010/09/10 20:10:18 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Local\Adobe
[2010/09/08 03:01:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2010/09/05 13:08:07 | 000,000,000 | ---D | C] -- C:\Users\Simon\Desktop\gmer
[2010/08/26 19:44:31 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/08/25 21:07:22 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/25 21:07:21 | 000,317,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/25 21:07:18 | 000,269,904 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/25 21:07:17 | 000,035,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/25 21:07:17 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\Avg
[2010/08/25 21:05:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
[2010/08/25 21:05:10 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/08/20 03:00:30 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2010/08/20 03:00:30 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2010/08/19 22:20:25 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Acronis
[2010/08/19 22:19:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Acronis
[2010/08/19 22:16:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Acronis
[2010/08/19 22:16:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Acronis
[2010/08/19 21:50:35 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Mozilla
[2010/08/19 21:50:35 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Local\Mozilla
[2010/08/19 21:50:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2010/08/19 18:44:12 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/08/19 12:55:47 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Macromedia
[2010/08/19 12:55:47 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Adobe
[2010/08/19 12:55:16 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2010/08/19 12:16:51 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/08/19 11:51:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Runtime Software
[2010/08/19 11:30:30 | 000,000,000 | R--D | C] -- C:\Users\Simon\Searches
[2010/08/19 11:30:29 | 000,000,000 | -H-D | C] -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2010/08/19 11:30:18 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Identities
[2010/08/19 11:30:17 | 000,000,000 | R--D | C] -- C:\Users\Simon\Contacts
[2010/08/19 11:30:16 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Local\VirtualStore
[2010/08/19 11:30:09 | 000,000,000 | --SD | C] -- C:\Users\Simon\AppData\Roaming\Microsoft
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Videos
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Saved Games
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Pictures
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Music
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Links
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Favorites
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Downloads
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\My Documents
[2010/08/19 11:30:09 | 000,000,000 | R--D | C] -- C:\Users\Simon\Desktop
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\AppData\Local\Temporary Internet Files
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Templates
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Start Menu
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\SendTo
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Recent
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\PrintHood
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\NetHood
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Documents\My Videos
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Documents\My Pictures
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Documents\My Music
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\My Documents
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Local Settings
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\AppData\Local\History
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Cookies
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\Application Data
[2010/08/19 11:30:09 | 000,000,000 | -HSD | C] -- C:\Users\Simon\AppData\Local\Application Data
[2010/08/19 11:30:09 | 000,000,000 | -H-D | C] -- C:\Users\Simon\AppData
[2010/08/19 11:30:09 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Local\Temp
[2010/08/19 11:30:09 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Local\Microsoft
[2010/08/19 11:30:09 | 000,000,000 | ---D | C] -- C:\Users\Simon\AppData\Roaming\Media Center Programs
[2010/08/19 11:29:58 | 000,000,000 | -HSD | C] -- C:\Recovery
[2010/08/19 11:20:54 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/08/19 11:18:49 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/08/19 11:18:06 | 000,000,000 | -HSD | C] -- C:\System Volume Information

========== Files - Modified Within 90 Days ==========

[2010/09/20 19:19:42 | 000,786,432 | -HS- | M] () -- C:\Users\Simon\NTUSER.DAT
[2010/09/20 19:19:02 | 000,133,632 | ---- | M] () -- C:\Users\Simon\Desktop\RKUnhookerLE.EXE
[2010/09/20 19:17:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Simon\Desktop\OTL.exe
[2010/09/20 18:50:38 | 000,014,160 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/20 18:50:38 | 000,014,160 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/20 18:42:28 | 065,076,344 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/09/19 10:36:36 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/19 10:36:36 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/19 10:36:36 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/15 03:18:11 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/15 03:18:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/15 03:17:57 | 2145,947,647 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/15 03:16:41 | 002,672,427 | -H-- | M] () -- C:\Users\Simon\AppData\Local\IconCache.db
[2010/09/10 20:12:49 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/09/10 20:11:01 | 000,535,516 | ---- | M] () -- C:\Users\Simon\Desktop\Certificate of Health Family Member.pdf
[2010/09/10 20:10:56 | 000,031,232 | ---- | M] () -- C:\Users\Simon\Desktop\EPRI Authorization to Release Information PFL.doc
[2010/09/10 20:10:53 | 000,125,440 | ---- | M] () -- C:\Users\Simon\Desktop\EPRI Claim Form Employee PFL.doc
[2010/09/10 20:10:48 | 000,042,893 | ---- | M] () -- C:\Users\Simon\Desktop\2010 EPRI CA PFL SPD.pdf
[2010/09/10 20:10:44 | 000,010,369 | ---- | M] () -- C:\Users\Simon\Desktop\Leave of Absence Request.pdf
[2010/09/05 13:01:15 | 000,293,376 | ---- | M] () -- C:\Users\Simon\Desktop\gmer.exe
[2010/09/05 13:01:01 | 000,284,915 | ---- | M] () -- C:\Users\Simon\Desktop\gmer.zip
[2010/09/05 12:58:30 | 000,525,824 | ---- | M] () -- C:\Users\Simon\Desktop\dds.scr
[2010/09/05 12:58:04 | 000,000,000 | ---- | M] () -- C:\Users\Simon\defogger_reenable
[2010/09/05 12:56:50 | 000,050,477 | ---- | M] () -- C:\Users\Simon\Desktop\Defogger.exe
[2010/08/26 21:26:56 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/08/26 21:25:00 | 082,822,596 | ---- | M] () -- C:\Users\Simon\Desktop\avg_arl_cd_en_90_100429.zip
[2010/08/25 21:40:16 | 000,080,384 | ---- | M] () -- C:\Users\Simon\Desktop\MBRCheck.exe
[2010/08/25 21:07:23 | 000,013,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/25 21:07:23 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/25 21:07:22 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/25 21:07:19 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/25 21:07:18 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/25 21:07:17 | 000,113,461 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/19 22:17:06 | 000,002,345 | ---- | M] () -- C:\Users\Simon\Desktop\Acronis One-Click Backup.lnk
[2010/08/19 22:17:05 | 000,001,211 | ---- | M] () -- C:\Users\Simon\Desktop\Acronis True Image Home 2010.lnk
[2010/08/19 21:50:35 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/08/19 21:50:33 | 000,001,963 | ---- | M] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/19 21:50:33 | 000,001,939 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/08/19 18:35:46 | 000,037,888 | ---- | M] () -- C:\Windows\SysWow64\setupnt.dll
[2010/08/19 15:32:22 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/19 14:58:49 | 000,057,560 | ---- | M] () -- C:\Users\Simon\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/08/19 11:51:49 | 000,001,131 | ---- | M] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2010/08/19 11:51:49 | 000,001,107 | ---- | M] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/08/19 11:46:10 | 000,001,437 | ---- | M] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/19 11:34:52 | 000,524,288 | -HS- | M] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/08/19 11:34:52 | 000,524,288 | -HS- | M] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/08/19 11:34:52 | 000,065,536 | -HS- | M] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/08/19 11:30:09 | 000,000,020 | -HS- | M] () -- C:\Users\Simon\ntuser.ini
[2010/08/19 11:22:29 | 000,039,252 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2010/08/19 11:22:29 | 000,039,252 | ---- | M] () -- C:\Windows\SysNative\license.rtf

========== Files Created - No Company Name ==========

[2010/09/10 20:12:49 | 000,002,014 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/09/10 20:10:59 | 000,535,516 | ---- | C] () -- C:\Users\Simon\Desktop\Certificate of Health Family Member.pdf
[2010/09/10 20:10:56 | 000,031,232 | ---- | C] () -- C:\Users\Simon\Desktop\EPRI Authorization to Release Information PFL.doc
[2010/09/10 20:10:53 | 000,125,440 | ---- | C] () -- C:\Users\Simon\Desktop\EPRI Claim Form Employee PFL.doc
[2010/09/10 20:10:48 | 000,042,893 | ---- | C] () -- C:\Users\Simon\Desktop\2010 EPRI CA PFL SPD.pdf
[2010/09/10 20:10:42 | 000,010,369 | ---- | C] () -- C:\Users\Simon\Desktop\Leave of Absence Request.pdf
[2010/09/05 13:01:01 | 000,284,915 | ---- | C] () -- C:\Users\Simon\Desktop\gmer.zip
[2010/09/05 12:58:30 | 000,525,824 | ---- | C] () -- C:\Users\Simon\Desktop\dds.scr
[2010/09/05 12:58:04 | 000,000,000 | ---- | C] () -- C:\Users\Simon\defogger_reenable
[2010/09/05 12:56:50 | 000,050,477 | ---- | C] () -- C:\Users\Simon\Desktop\Defogger.exe
[2010/08/26 21:26:56 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/08/26 21:22:53 | 082,822,596 | ---- | C] () -- C:\Users\Simon\Desktop\avg_arl_cd_en_90_100429.zip
[2010/08/25 21:40:15 | 000,080,384 | ---- | C] () -- C:\Users\Simon\Desktop\MBRCheck.exe
[2010/08/25 21:07:23 | 000,001,854 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/25 21:07:17 | 065,076,344 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/08/25 21:07:17 | 000,113,461 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/19 22:17:05 | 000,002,345 | ---- | C] () -- C:\Users\Simon\Desktop\Acronis One-Click Backup.lnk
[2010/08/19 22:17:05 | 000,001,211 | ---- | C] () -- C:\Users\Simon\Desktop\Acronis True Image Home 2010.lnk
[2010/08/19 21:50:35 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/08/19 21:50:33 | 000,001,963 | ---- | C] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/19 21:50:33 | 000,001,939 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/08/19 18:35:46 | 000,037,888 | ---- | C] () -- C:\Windows\SysWow64\setupnt.dll
[2010/08/19 11:51:49 | 000,001,131 | ---- | C] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2010/08/19 11:51:49 | 000,001,107 | ---- | C] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/08/19 11:46:10 | 000,001,437 | ---- | C] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/19 11:30:09 | 000,786,432 | -HS- | C] () -- C:\Users\Simon\NTUSER.DAT
[2010/08/19 11:30:09 | 000,524,288 | -HS- | C] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/08/19 11:30:09 | 000,524,288 | -HS- | C] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/08/19 11:30:09 | 000,262,144 | -HS- | C] () -- C:\Users\Simon\ntuser.dat.LOG1
[2010/08/19 11:30:09 | 000,065,536 | -HS- | C] () -- C:\Users\Simon\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/08/19 11:30:09 | 000,000,290 | ---- | C] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2010/08/19 11:30:09 | 000,000,272 | ---- | C] () -- C:\Users\Simon\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/08/19 11:30:09 | 000,000,020 | -HS- | C] () -- C:\Users\Simon\ntuser.ini
[2010/08/19 11:30:09 | 000,000,000 | -HS- | C] () -- C:\Users\Simon\ntuser.dat.LOG2
[2010/08/19 11:18:06 | 2145,947,647 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== LOP Check ==========

[2010/08/19 22:20:25 | 000,000,000 | ---D | M] -- C:\Users\Simon\AppData\Roaming\Acronis
[2009/07/13 22:08:49 | 000,005,884 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

OTL Extras logfile created on: 9/20/2010 7:18:37 PM - Run 1
OTL by OldTimer - Version 3.2.14.0 Folder = C:\Users\Simon\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.00 Gb Available Physical Memory | 70.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1397.17 Gb Total Space | 1363.33 Gb Free Space | 97.58% Space Free | Partition Type: NTFS
Drive D: | 3.00 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive N: | 638.44 Gb Total Space | 102.61 Gb Free Space | 16.07% Space Free | Partition Type: NTFS

Computer Name: SIMON-PC
Current User Name: Simon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-254931848-2096983733-619744941-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{67ED38A3-4882-448B-B44D-3428AB00D7D5}" = Acronis True Image Home
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML (Private Edition)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"Mozilla Firefox (3.6.9)" = Mozilla Firefox (3.6.9)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/14/2010 6:22:35 PM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0xC004C008

Error - 9/14/2010 6:22:35 PM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 1014
Description = Acquisition of End User License failed. hr=0xC004C008 Sku Id=586bc076-c93d-429a-afe5-a69fbc644e88

Error - 9/14/2010 10:22:35 PM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0xC004C008

Error - 9/14/2010 10:22:35 PM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 1014
Description = Acquisition of End User License failed. hr=0xC004C008 Sku Id=586bc076-c93d-429a-afe5-a69fbc644e88

Error - 9/15/2010 2:22:35 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0xC004C008

Error - 9/15/2010 2:22:35 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 1014
Description = Acquisition of End User License failed. hr=0xC004C008 Sku Id=586bc076-c93d-429a-afe5-a69fbc644e88

Error - 9/15/2010 7:05:50 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0xC004C008

Error - 9/15/2010 7:05:50 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 1014
Description = Acquisition of End User License failed. hr=0xC004C008 Sku Id=586bc076-c93d-429a-afe5-a69fbc644e88

Error - 9/15/2010 11:05:50 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0xC004C008

Error - 9/15/2010 11:05:50 AM | Computer Name = Simon-PC | Source = Software Protection Platform Service | ID = 1014
Description = Acquisition of End User License failed. hr=0xC004C008 Sku Id=586bc076-c93d-429a-afe5-a69fbc644e88

[ System Events ]
Error - 8/19/2010 2:22:03 PM | Computer Name = 37L4247E29-32 | Source = Service Control Manager | ID = 7023
Description = The Windows Time service terminated with the following error: %%2

Error - 8/19/2010 3:23:17 PM | Computer Name = Simon-PC | Source = volsnap | ID = 393232
Description = The shadow copies of volume I: were aborted because volume I:, which
contains shadow copy storage for this shadow copy, was force dismounted.

Error - 8/19/2010 9:38:54 PM | Computer Name = Simon-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
snapman

Error - 8/20/2010 5:44:21 AM | Computer Name = Simon-PC | Source = volsnap | ID = 393245
Description = The shadow copies of volume I: were aborted during detection.

Error - 8/25/2010 11:17:38 PM | Computer Name = Simon-PC | Source = Disk | ID = 262159
Description = The device, \Device\Harddisk2\DR2, is not ready for access yet.

Error - 8/25/2010 11:17:38 PM | Computer Name = Simon-PC | Source = Disk | ID = 262159
Description = The device, \Device\Harddisk2\DR2, is not ready for access yet.

Error - 8/25/2010 11:19:32 PM | Computer Name = Simon-PC | Source = volsnap | ID = 393243
Description = The shadow copies of volume N: were aborted during detection because
a critical control file could not be opened.

Error - 9/5/2010 12:47:51 AM | Computer Name = Simon-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the avg9wd service.


< End of report >


#6 spsteam
  • Topic Starter
  • Members
  • 15 posts

Posted 20 September 2010 - 09:34 PM

I should have mentioned for clarification that on the OTL log file, as I mention in my original post, Drive C and Drive N are separate physical drives. Drive N is the problem drive that cannot boot. Drive C is a new HDD with a fresh copy of Win 7 and the drive from which I ran the scans above.

#7 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 21 September 2010 - 04:09 AM

Thanks for mentioning that. This means that the logs are useless. They look for the active Windows installation.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 spsteam
  • Topic Starter
  • Members
  • 15 posts

Posted 21 September 2010 - 11:01 AM

Here is the log from the MBRCheck. It looks like the script ran normally until it started to scan N: at which point it immediately stopped.

******************

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: System manufacturer
System Product Name: System Product Name
Logical Drives Mask: 0x0000200c

Kernel Drivers (total 150):
0x0284B000 \SystemRoot\system32\ntoskrnl.exe
0x02802000 \SystemRoot\system32\hal.dll
0x00BAE000 \SystemRoot\system32\kdcom.dll
0x00C88000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CCC000 \SystemRoot\system32\PSHED.dll
0x00CE0000 \SystemRoot\system32\CLFS.SYS
0x00D3E000 \SystemRoot\system32\CI.dll
0x00E84000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F28000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F37000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00F8E000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00F97000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00FA1000 \SystemRoot\system32\DRIVERS\pci.sys
0x00FD4000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00FE1000 \SystemRoot\System32\drivers\partmgr.sys
0x00E00000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00E15000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E71000 \SystemRoot\system32\DRIVERS\pciide.sys
0x00C00000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00C10000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E78000 \SystemRoot\system32\DRIVERS\atapi.sys
0x00C2A000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x00C54000 \SystemRoot\system32\DRIVERS\msahci.sys
0x00C5F000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x010BC000 \SystemRoot\system32\drivers\fltmgr.sys
0x01108000 \SystemRoot\system32\drivers\fileinfo.sys
0x01252000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0111C000 \SystemRoot\System32\Drivers\msrpc.sys
0x01200000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0117A000 \SystemRoot\System32\Drivers\cng.sys
0x0121A000 \SystemRoot\System32\drivers\pcw.sys
0x0122B000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01474000 \SystemRoot\system32\drivers\ndis.sys
0x01566000 \SystemRoot\system32\drivers\NETIO.SYS
0x015C6000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01600000 \SystemRoot\System32\drivers\tcpip.sys
0x01400000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x0183B000 \SystemRoot\system32\DRIVERS\timntr.sys
0x01924000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01A00000 \SystemRoot\system32\DRIVERS\tdrpm258.sys
0x01B6C000 \SystemRoot\System32\Drivers\spldr.sys
0x01B74000 \SystemRoot\system32\DRIVERS\snapman.sys
0x01BB8000 \SystemRoot\System32\drivers\rdyboost.sys
0x01970000 \SystemRoot\System32\Drivers\mup.sys
0x01BF2000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01982000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x019BC000 \SystemRoot\system32\DRIVERS\disk.sys
0x01800000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01000000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x019F7000 \SystemRoot\System32\Drivers\Null.SYS
0x01830000 \SystemRoot\System32\Drivers\Beep.SYS
0x0145D000 \SystemRoot\System32\drivers\vga.sys
0x0102A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x01235000 \SystemRoot\System32\drivers\watchdog.sys
0x0146B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x015F1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01245000 \SystemRoot\system32\drivers\rdprefmp.sys
0x013F5000 \SystemRoot\System32\Drivers\Msfs.SYS
0x0104F000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01060000 \SystemRoot\system32\DRIVERS\tdx.sys
0x0107E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02E97000 \SystemRoot\System32\Drivers\avgtdia.sys
0x02EE8000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02F2D000 \SystemRoot\system32\drivers\afd.sys
0x02FB7000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02FC0000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02FE6000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02E00000 \SystemRoot\system32\DRIVERS\serial.sys
0x02E1D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02E38000 \SystemRoot\system32\DRIVERS\termdd.sys
0x04207000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04258000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04264000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x0426F000 \SystemRoot\System32\drivers\discache.sys
0x0427E000 \SystemRoot\System32\Drivers\dfsc.sys
0x0429C000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x042AD000 \SystemRoot\System32\Drivers\avgmfx64.sys
0x042B5000 \SystemRoot\System32\Drivers\avgldx64.sys
0x042FC000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04322000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x04A83000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x04637000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0472B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04771000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04782000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x047D8000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04600000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x0558B000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x055C9000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0x055D1000 \SystemRoot\system32\DRIVERS\serenum.sys
0x055DD000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x055E6000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x04A00000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04A16000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04A3A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04A46000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04338000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x04353000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04374000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0438E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0439D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04632000 \SystemRoot\system32\DRIVERS\swenum.sys
0x043AC000 \SystemRoot\system32\DRIVERS\ks.sys
0x02E4C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x05C04000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x05C5E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05C73000 \SystemRoot\system32\drivers\HdAudio.sys
0x05CCF000 \SystemRoot\system32\drivers\portcls.sys
0x05D0C000 \SystemRoot\system32\drivers\drmk.sys
0x05D2E000 \SystemRoot\system32\drivers\ksthunk.sys
0x05D34000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x05D51000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x00060000 \SystemRoot\System32\win32k.sys
0x05D53000 \SystemRoot\System32\drivers\Dxapi.sys
0x05D5F000 \SystemRoot\system32\DRIVERS\udfs.sys
0x05DB3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x05DC1000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x05DDA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05DE3000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x05DF1000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04A75000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00580000 \SystemRoot\System32\TSDDD.dll
0x006B0000 \SystemRoot\System32\cdd.dll
0x043EF000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02E5E000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x02E6A000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x02E75000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x019D2000 \SystemRoot\system32\drivers\luafv.sys
0x0108B000 \SystemRoot\system32\drivers\WudfPf.sys
0x00C6A000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0888D000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x088A5000 \SystemRoot\system32\drivers\HTTP.sys
0x0896D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0898B000 \SystemRoot\System32\drivers\mpsdrv.sys
0x089A3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x08800000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0884E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x08C88000 \SystemRoot\system32\DRIVERS\afcdp.sys
0x08CC8000 \SystemRoot\system32\drivers\peauth.sys
0x08D6E000 \SystemRoot\System32\Drivers\secdrv.SYS
0x08D79000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x08DA6000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08C00000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09408000 \SystemRoot\System32\DRIVERS\srv.sys
0x0949E000 \SystemRoot\system32\drivers\spsys.sys
0x0950F000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77B40000 \Windows\System32\ntdll.dll
0x47D40000 \Windows\System32\smss.exe
0xFFE60000 \Windows\System32\apisetschema.dll
0xFF630000 \Windows\System32\autochk.exe

Processes (total 50):
0 System Idle Process
4 System
524 C:\Windows\System32\smss.exe
676 csrss.exe
752 C:\Windows\System32\wininit.exe
776 csrss.exe
784 C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
800 C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
868 C:\Windows\System32\services.exe
876 C:\Windows\System32\lsass.exe
884 C:\Windows\System32\lsm.exe
988 C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
144 C:\Windows\System32\winlogon.exe
1476 C:\Windows\System32\svchost.exe
1548 C:\Windows\System32\svchost.exe
1636 C:\Windows\System32\svchost.exe
1688 C:\Windows\System32\svchost.exe
1736 C:\Windows\System32\svchost.exe
1916 C:\Windows\System32\svchost.exe
2000 C:\Windows\System32\svchost.exe
1440 C:\Windows\System32\spoolsv.exe
1540 C:\Windows\System32\svchost.exe
2132 C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
2200 C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
2252 C:\Windows\System32\dllhost.exe
2308 C:\Windows\System32\svchost.exe
2664 C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
2700 C:\Program Files (x86)\AVG\AVG9\avgemc.exe
2856 C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
3368 C:\Windows\System32\taskhost.exe
3436 C:\Windows\System32\dwm.exe
3524 C:\Windows\explorer.exe
3836 C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
3876 C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
3884 C:\Program Files (x86)\AVG\AVG9\avgtray.exe
3956 C:\Windows\System32\SearchIndexer.exe
3664 C:\Program Files\Windows Media Player\wmpnetwk.exe
4304 C:\Windows\System32\svchost.exe
4668 C:\Windows\System32\sppsvc.exe
4392 C:\Windows\System32\taskhost.exe
3680 C:\Windows\explorer.exe
3192 C:\Windows\explorer.exe
3272 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3156 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
4876 C:\Windows\System32\SearchProtocolHost.exe
4896 C:\Windows\System32\SearchFilterHost.exe
1712 C:\Windows\explorer.exe
3432 C:\Users\Simon\Desktop\MBRCheck.exe
2580 C:\Windows\System32\conhost.exe
2064 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\N: --> \\.\PhysicalDrive1 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD15EARS-00Z5B1, Rev: 80.00A80
PhysicalDrive1 Model Number: WDCWD10EADS-00L5B1, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
931 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 30070887F0E79C03FA19F2E08ADD54A428563E3E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

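The MBRCheck report above hashes each disk's boot sector and compares the result with hashes of known boot code, which is how it can say "Windows 7 MBR code detected" for PhysicalDrive0 and "Known-bad MBR code detected" for PhysicalDrive1 even though both disks still map their NTFS volumes at the same partition offset. The script below is an added example written for this thread; it is not MBRCheck's code and not anything posted by the participants. It parses a raw 512-byte MBR image, hashes the bootstrap-code region and compares that hash against an allowlist, and decodes the partition table so the two can be compared separately. Assumptions: the classic MBR layout (440 bytes of bootstrap code, four 16-byte partition entries at 0x1BE, the 0x55AA signature at 0x1FE); that hashing the 440-byte code region is a reasonable stand-in for whatever region MBRCheck actually hashes; and that the sample boot code, partition sizes and allowlist are constructed here, modelled only on the 0x06500000 volume offset shown in the log, so the hashes it produces are not the real Windows 7 values.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # bootstrap code region (assumption: MBRCheck's hashed region may differ)
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (bootable, type, lba_start, sectors) tuples."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code exceeds 440 bytes")
    sector = bytearray(SECTOR)
    sector[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return the SHA1 of the bootstrap code and the decoded, non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("0x55AA boot signature missing")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:            # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors,
                           "byte_offset": lba_start * SECTOR})
    return {"code_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
            "partitions": partitions}


def classify_mbr(sector: bytes, known_good: set, known_bad: set):
    """Verdict on the boot code only: the partition table is reported separately."""
    info = parse_mbr(sector)
    h = info["code_sha1"]
    verdict = "known-good" if h in known_good else "known-bad" if h in known_bad else "unknown"
    return verdict, info


def partition_tables_match(a: bytes, b: bytes) -> bool:
    return parse_mbr(a)["partitions"] == parse_mbr(b)["partitions"]


# Constructed sample data (not real boot code, not real hashes).
CLEAN_CODE = b"CLEAN-LOADER-STANDIN".ljust(BOOTCODE_LEN, b"\x90")
TAMPERED_CODE = b"REPLACED-LOADER-STANDIN".ljust(BOOTCODE_LEN, b"\x90")
# Partition layout modelled on the log: the OS volume starts at byte offset 0x06500000,
# i.e. LBA 206848, right after a 204800-sector partition that begins at LBA 2048.
# The second partition's size is a constructed value.
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1_000_000)]

CLEAN_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_CODE, PARTITIONS)      # same table, different code
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["code_sha1"]}         # allowlist built from the clean sample
KNOWN_BAD = set()                                        # no bad-code hashes assumed here


def check_both():
    """Verdicts for the clean and the tampered sample: ('known-good', 'unknown')."""
    return (classify_mbr(CLEAN_MBR, KNOWN_GOOD, KNOWN_BAD)[0],
            classify_mbr(TAMPERED_MBR, KNOWN_GOOD, KNOWN_BAD)[0])


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        verdict, info = classify_mbr(mbr, KNOWN_GOOD, KNOWN_BAD)
        print(f"{name}: {verdict} SHA1={info['code_sha1']}")
        for p in info["partitions"]:
            print(f"  part{p['index']} type=0x{p['type']:02X} lba={p['lba_start']} "
                  f"offset=0x{p['byte_offset']:08X} bootable={p['bootable']}")
    print("partition tables identical:", partition_tables_match(CLEAN_MBR, TAMPERED_MBR))
```

The point the two samples make is the one visible in the report: a replaced loader leaves the partition table untouched, so the volume still mounts at the expected offset and only the code hash gives it away. A verdict of "unknown" (hash in neither list) deserves the same attention as "known-bad" when the disk is a plain Windows install, since a stock MBR should match a known value.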
#9 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 21 September 2010 - 01:25 PM

Your second disk is indeed infected with the Whistler bootkit. How was your original setup? Can you restore that (so the infected HD will boot), boot from the CD and enter the command prompt?

If so, type bootrec /fixmbr and press enter.


regards, Elise




#10 spsteam
  • Topic Starter
  • Members
  • 15 posts

Posted 21 September 2010 - 02:11 PM

The old HDD (C:) cannot boot on its own. I gave a bit of a long-form explanation of the observed behavior and steps taken to date in my original post. In short, the Win7 recovery methods have not worked for me. With C: connected (N: disconnected) I am able to start up, get the Bios loaded and then specify to boot off the DVD (Win7), which loads the Windows install program. From there, I click repair, it detects the presence of the bad Win 7 install and then provides me with the standard System Recovery Options screen (options are: Startup Repair [this hasn't worked before]; System Restore [hasn't worked before]; System Image Recovery; Windows Memory Diagnostic; Command Prompt). I click on Command Prompt and the standard command screen loads showing X:\Sources>; however, the module is frozen and I am not able to type anything in.

#11 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 21 September 2010 - 02:29 PM

Please re-run MBRCheck and, after the scan finishes, type Y and hit Enter, and let me know if it displays any options to fix the PhysicalDrive1 MBR.

regards, Elise




#12 spsteam
  • Topic Starter
  • Members
  • 15 posts

Posted 21 September 2010 - 03:01 PM

I ran MBRCheck again; the options it gave me to fix the bad drive are:

[1] Dump the MBR of the physical drive to a file
[2] Restore the MBR of a physical drive with standard boot code.
[3] Exit

I didn't make a selection.

#13 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 21 September 2010 - 03:15 PM

Select 2 and see what options there are, if any, for PhysicalDrive1.

regards, Elise




#14 spsteam
  • Topic Starter
  • Members
  • 15 posts

Posted 21 September 2010 - 03:20 PM

With selection number [2], I'm prompted with the following options:

Enter the physical drive number to fix (I selected [1]).

Available MBR Codes:

[0] Default <Windows 7>
[1] Windows XP
[2] Windows Server 2003
[3] Windows Vista
[4] Windows 2008
[5] Windows 7
[-1] Cancel



#15 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 21 September 2010 - 03:25 PM

To double-check: you had physical drive numbers 0 and 1 to choose from? If so, 1 is okay. You can then choose 0 for the default Windows 7 MBR code.

When prompted for confirmation ('Do you want to fix the MBR code?'), type the full word Yes (not Y, or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu, choose Edit -> Select All.
  • Press the Enter key on your keyboard to copy the selected text.
  • Open Notepad, paste that text into it and save it to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.

Now try and see if the other drive boots on its own.

regards, Elise






